Gentoo Archives: gentoo-security

From: Eilverijus Kondratas <eilwerijus@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] SearchSecurity.com: 'Linux patch problems: Your distro may vary'
Date: Wed, 09 Aug 2006 13:00:25
Message-Id: b2db0fcc0608090553k20147225o4d365b114b076c46@mail.gmail.com
In Reply to: Re: [gentoo-security] SearchSecurity.com: 'Linux patch problems: Your distro may vary' by Vincent Rivellino
Hi,

1) I'm not sure that the calculations given in the article are good.
The average alone does not give a lot of information. For example:

(1+90)/2 = 45.5 and (45+46)/2 = 45.5

It would be similar if 1 point were given when a patch is released very late,
90 if released very early, and 45, 46 in the middle. As one can
see, the release times differ very much, but the average is the
same. So the average alone does not give a lot of information.
It would be a different story if, together with the average, there were
a standard distribution; the average alone is not enough.

2) I don't think that this calculation can be used for future
planning: "what system will be better". Statistically we should
apply "z" or at least "t" statistics instead of a simple average.

Generally speaking, the calculations given in the article are the simplest
ones taught in primary school. I did not find anything from
advanced statistics according to which the rating could be applied.

elwis


On 8/7/06, Vincent Rivellino <vince@×××××××××.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Interesting study. I like the premise of it. However, I'm not sure I
> agree with their method. From the article:
>
> "For instance, if a distribution fixed an issue on the earliest date, it
> would receive a score of 100 for that issue; if it was the last vendor to
> fix the issue, it would get a score of 0. One can then average the scores
> after evaluating the 30 issues."
>
> So this is just a ranking, with no quantitative results. What I'd really
> like to know are the distributions' average response times for the High
> and Moderate vulnerabilities.
>
> While Gentoo might be 6th, I'd like to know how much slower Gentoo gets
> out patches than Ubuntu, Fedora, and/or RHEL.
>
>
> - -Vince
>
>
> - --
> Vincent Rivellino
> GPG Key ID: 62BFEBE4
> https://cuz.cx/gpg
>
>
> On Mon, August 7, 2006 07:42, Wolfram Schlich wrote:
> > Hi,
> >
> >
> > I just stumbled over an article from SearchSecurity.com which was linked
> > to in a heise newsticker posting that tries to analyze how fast
> > distributions react to security vulnerabilities:
> >
> > http://tinyurl.com/lplfb
> >
> >
> > Quick chart:
> >
> >
> > Rank  Distro                     Points/100
> > ----  -------------------------  ----------
> > 1.    Ubuntu                     76
> > 2.    Fedora Core                70
> > 3.    Red Hat Enterprise Linux   63
> > 4.    Debian GNU/Linux           61
> > 5.    Mandriva Linux             54
> > 6.    Gentoo Linux               39
> > 7.    Trustix Secure Linux       32
> > 8.    SUSE Linux Enterprise      32
> > 9.    Slackware Linux            30
> >
> >
> > Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
> >
> >
> > Any comments or thoughts about this?
> > Can we become better?
> > Are we maybe better than the author pretends?
> > Does the security team currently face serious problems that need to be
> > solved, be it inside or outside the security team?
> >
> > I am just curious and would be glad to get some feedback :)
> > --
> > Regards,
> > Wolfram Schlich <wschlich@g.o>
> > Gentoo Linux * http://dev.gentoo.org/~wschlich/
> > --
> > gentoo-security@g.o mailing list
> >
> >
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4 (GNU/Linux)
>
> iD8DBQFE12eKhUAfdmK/6+QRAm4sAJ9U4hDbql8b5Du7ELWTclnBdwXONACghkRk
> PLfad2L0hjQZ99puzngf4nU=
> =/aSm
> -----END PGP SIGNATURE-----
>
> --
> gentoo-security@g.o mailing list
>
>


--
Eilverijus Kondratas
Master studies in Computer Science
Free University of Bozen-Bolzano
Italy, Bolzano
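As an added example, not part of the original thread, the following Python computes the article's 0-to-100 rank score as Vince quotes it and sets it next to the mean and standard deviation of the actual days-to-fix, together with the Welch t statistic that point 2 above suggests using instead of a plain average. The day counts and the three vendor names are constructed for the example, and since the article does not say how vendors between first and last are scored, the linear spacing by rank is an assumption.

```python
from math import sqrt
from statistics import mean, stdev

# Constructed sample input, not data from the article: days from public
# disclosure to a fix for three hypothetical distributions over four issues.
DAYS_TO_FIX = {
    "distro_a": [1, 90, 1, 90],    # same mean as distro_b, wildly inconsistent
    "distro_b": [45, 46, 45, 46],  # same mean as distro_a, very consistent
    "distro_c": [30, 30, 30, 30],  # always 30 days
}


def rank_scores(days_to_fix):
    """Per-issue rank score as the article describes it: the earliest fixer
    gets 100, the last gets 0, and each vendor's scores are averaged over all
    issues.  The article does not say how vendors in between are scored; this
    assumes linear spacing by rank, with ties sharing the better score."""
    vendors = list(days_to_fix)
    if len(vendors) < 2:
        raise ValueError("need at least two vendors to rank")
    n_issues = len(next(iter(days_to_fix.values())))
    last = len(vendors) - 1
    totals = {v: 0.0 for v in vendors}
    for i in range(n_issues):
        for v in vendors:
            # rank position = number of vendors that fixed this issue sooner
            faster = sum(1 for w in vendors if days_to_fix[w][i] < days_to_fix[v][i])
            totals[v] += 100.0 * (last - faster) / last
    return {v: totals[v] / n_issues for v in vendors}


def summarize(days):
    """Mean and sample standard deviation of the actual response times.
    Two vendors with the same mean can have very different spreads."""
    return mean(days), stdev(days)


def welch_t(x, y):
    """Welch's t statistic and approximate degrees of freedom for two
    independent samples with possibly unequal variances.  Returns (t, df).
    Unlike a bare difference of means, t shrinks as the spread grows."""
    nx, ny = len(x), len(y)
    vx, vy = stdev(x) ** 2 / nx, stdev(y) ** 2 / ny
    se = sqrt(vx + vy)
    if se == 0.0:
        raise ValueError("both samples have zero variance; t is undefined")
    t = (mean(x) - mean(y)) / se
    df = (vx + vy) ** 2 / (vx ** 2 / (nx - 1) + vy ** 2 / (ny - 1))
    return t, df


def compare_all(days_to_fix=DAYS_TO_FIX):
    """Rank score next to mean/sd of the real response times, per vendor."""
    scores = rank_scores(days_to_fix)
    rows = {}
    for v, days in days_to_fix.items():
        m, s = summarize(days)
        rows[v] = {"rank_score": scores[v], "mean_days": m, "sd_days": s}
    return rows


if __name__ == "__main__":
    for v, r in compare_all().items():
        print(f"{v}: score={r['rank_score']:.0f}  mean={r['mean_days']:.1f}  sd={r['sd_days']:.1f}")
    for a, b in (("distro_a", "distro_b"), ("distro_a", "distro_c"), ("distro_b", "distro_c")):
        t, df = welch_t(DAYS_TO_FIX[a], DAYS_TO_FIX[b])
        print(f"{a} vs {b}: t={t:.2f}, df={df:.1f}")
```

With these inputs distro_a and distro_b share a 45.5-day mean yet receive rank scores of 50 and 25, because the rank score only records who was faster on each issue, not by how much. The Welch statistic makes the opposite point: distro_a versus distro_c gives t of about 0.6, since the 15.5-day gap is swamped by distro_a's spread, while distro_b versus distro_c gives about 54 for the same gap in means.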

Replies

Subject Author
Re: [gentoo-security] SearchSecurity.com: 'Linux patch problems: Your distro may vary' "Brian G. Peterson" <brian@×××××××××.com>